An Introduction to Bisimulation and Coinduction Davide Sangiorgi - - PowerPoint PPT Presentation



SLIDE 1

An Introduction to Bisimulation and Coinduction

Davide Sangiorgi

Focus Team, INRIA (France)/University of Bologna (Italy)

Email: Davide.Sangiorgi@cs.unibo.it
http://www.cs.unibo.it/~sangio/
18th Estonian Winter School in Computer Science, Palmse, Estonia, March 2013

SLIDE 2

Induction

– pervasive in Computer Science and Mathematics: definition of objects, proofs of properties, ...
– stratification: finite lists, finite trees, natural numbers, ...
– natural (least fixed points)

Coinduction

– less known: discovered and studied in recent years
– a growing interest
– quite different from induction: the dual of induction
– no need of stratification: objects can be infinite, or circular
– natural (greatest fixed points)

page 1

SLIDE 3

Why coinduction: examples

– streams
– real numbers
– a process that continuously accepts interactions with the environment
– memory cells with pointers (and possibly cycles)
– graphs
– objects on which we are unable to place size bounds (eg, a database, a stack)
– objects that operate in non-fixed environments (eg, distributed systems)

page 2

SLIDE 4

Other examples

In a sequential language
– definition of the terminating terms: inductively, from the rules of the operational semantics
– definition of the non-terminating terms
  ∗ the complement set of the terminating ones (an indirect definition)
  ∗ coinductively, from the rules of the operational semantics (a direct definition: more elegant, better for reasoning)

In constructive mathematics
– open sets: a direct inductive definition
– closed sets
  ∗ the complement set of the open ones
  ∗ a direct coinductive definition

page 3

SLIDE 5

Bisimulation

– the best known instance of coinduction
– discovered in Concurrency Theory, formalising the idea of behavioural equality on processes
– one of the most important contributions of Concurrency Theory to CS (and beyond)
– it has spurred the study of coinduction
– in concurrency: the most studied behavioural equivalence (many others have been proposed)

page 4

SLIDE 6

Coinduction in programming languages

– widely used in concurrency theory
  ∗ to define equality on processes (fundamental !!)
  ∗ to prove equalities
  ∗ to justify algebraic laws
  ∗ to minimise the state space
  ∗ to abstract from certain details
– functional languages and OO languages: a major factor in the movement towards operationally-based techniques in PL semantics in the 90s
– program analysis (see any book on program analysis)
– verification tools: algorithms for computing gfp (for modal and temporal logics), tactics and heuristics

page 5

SLIDE 7

– Types
  ∗ type soundness
  ∗ coinductive types and definition by corecursion; infinite proofs in Coq
  ∗ recursive types (equality, subtyping, ...)
    A coinductive rule (premise ⟹ conclusion):
      Γ, p1, q1 ∼ p2, q2 ⊢ pi ∼ qi  ⟹  Γ ⊢ p1, q1 ∼ p2, q2
– Databases
– Compiler correctness
– ...

page 6

SLIDE 8

Other fields

Today bisimulation and coinduction are also used in
– Artificial Intelligence
– Cognitive Science
– Mathematics
– Modal Logics
– Philosophy
– Physics
mainly to explain phenomena involving some kind of circularity

page 7

SLIDE 9

Objectives of the course

At the end of the course, a student should:
– have an idea of the meaning of bisimulation and coinduction
– have a grasp of the duality between induction and coinduction
– be able to read (simple) bisimulation proofs and coinductive definitions

page 8

SLIDE 10

Why induction and coinduction in this school

– fundamental notions for programming languages
  ∗ defining structures, objects
  ∗ reasoning on them (proofs, tools)
– abstract, unifying notions
– notions that will still be around when most present-day programming languages are obsolete
– an introduction to these notions that uses some very simple set theory

page 9

SLIDE 11

References

This course is based on the first 3 chapters of the book: Davide Sangiorgi, An introduction to bisimulation and coinduction, Cambridge University Press, October 2011

page 10

SLIDE 12

Outline

– The success of bisimulation and coinduction
– Towards bisimulation, or: from functions to processes
– Bisimulation
– Induction and coinduction
– (Enhancements of the bisimulation proof method)

page 11

SLIDE 13

Towards bisimulation, or: from functions to processes

page 12

SLIDE 14

A very simple example: a vending machine

In your office you have a tea/coffee machine, a red box whose behaviour is described thus:
– you put a coin
– you are then allowed to press the tea button or the coffee button
– after pressing the tea button you collect tea, after pressing the coffee button you collect coffee
– after collecting the beverage, the services of the machine are again available

page 13

SLIDE 15

Equivalence of machines

The machine breaks.
You need a new machine, with the same behaviour.
You show the description in the previous slide.
You get a red box machine that, when a tea or coffee button is pressed, non-deterministically delivers tea or coffee.
After paying some money, you get another machine, a green box that behaves as you wanted.

page 14

SLIDE 16

Questions

1. How can we specify formally the behaviour of the machines?
2. What does it mean that two machines “are the same”?
3. How do we prove that the first replacement machine is “wrong”, and that the second replacement machine is “correct”?

Answers from this course

1. Labelled Transition Systems (automata-like)
2. Bisimulation
3. Coinduction

page 15

SLIDE 17

Processes?

We can think of sequential computations as mathematical objects, namely functions.
Concurrent programs are not functions, but processes. But what is a process?
No universally-accepted mathematical answer. Hence we do not find in mathematics tools/concepts for the denotational semantics of concurrent languages, at least not as successful as those for the sequential ones.

page 16

SLIDE 18

Processes are not functions

A sequential imperative language can be viewed as a function from states to states. These two programs denote the same function from states to states:
  X := 2   and   X := 1; X := X + 1
But now take a context with parallelism, such as [·] | X := 2.
The program X := 2 | X := 2 always terminates with X = 2. This is not true (why?) for
  ( X := 1; X := X + 1 ) | X := 2
Therefore: viewing processes as functions gives us a notion of equivalence that is not a congruence. In other words, such a semantics of processes as functions would not be compositional.

page 17

SLIDE 19

Furthermore: a concurrent program may not terminate, and yet perform meaningful computations (examples: an operating system, the controllers of a nuclear station or of a railway system). In sequential languages programs that do not terminate are undesirable; they are ‘wrong’.
The behaviour of a concurrent program can be non-deterministic. Example:
  ( X := 1; X := X + 1 ) | X := 2
In a functional approach, non-determinism can be dealt with using powersets and powerdomains. This works for pure non-determinism, as in λx. (3 ⊕ 5), but not for parallelism.

page 18

SLIDE 20

What is a process? When are two processes behaviourally equivalent?
These are basic, fundamental questions; they have been at the core of the research in concurrency theory for the past 30 years. (They are still so today, although remarkable progress has been made.)
Fundamental for a model or a language on top of which we want to make proofs.

page 19

SLIDE 21

Interaction

In the example at page 17, X := 2 and X := 1; X := X + 1 should be distinguished because they interact in a different way with the memory.
Computation is interaction. Examples: access to a memory cell, interrogating a database, selecting a programme in a washing machine, ...
The participants of an interaction are processes (a cell, a database, a washing machine, ...).
The behaviour of a process should tell us when and how a process can interact with its environment.

page 20

SLIDE 22

How to represent interaction: labelled transition systems

Definition A labelled transition system (LTS) is a triple (P, Act, T) where
– P is the set of states, or processes;
– Act is the set of actions (NB: can be infinite);
– T ⊆ P × Act × P is the transition relation.

We write P −µ→ P′ if (P, µ, P′) ∈ T.
Meaning: process P accepts an interaction with the environment where P performs action µ and then becomes process P′.
P′ is a derivative of P if there are P1, ..., Pn, µ1, ..., µn s.t. P −µ1→ P1 ... −µn→ Pn and Pn = P′.

page 21

SLIDE 23

Example: the behaviour of our beloved vending machine

The behaviour is what we can observe, by interacting with the machine. We can represent such a behaviour as an LTS:

[LTS diagram, reconstructed from its labels: P1 −1c→ P2, P2 −tea→ P3, P3 −collect-tea→ P1, P2 −coffee→ P4, P4 −collect-coffee→ P1]

where the marked state (P1) indicates the process we are interested in (the “initial state”).
NB: the colour of the machine is irrelevant.

page 22

SLIDE 24

The behaviour of the first replacement machine

[LTS diagram, reconstructed from its labels: Q1 −1c→ Q2, Q1 −1c→ Q4, Q2 −tea→ Q3, Q3 −collect-tea→ Q1, Q4 −coffee→ Q5, Q5 −collect-coffee→ Q1; the choice between tea and coffee is made when the coin is inserted]

page 23

SLIDE 25

Other examples of LTS

(we omit the names of the states)

[two small LTS diagrams over the actions a and b]

Now we know: how to write behaviours.
Next: when should two behaviours be considered equal?

page 24

SLIDE 26

Equivalence of processes

Two processes should be equivalent if we cannot distinguish them by interacting with them. Example:

[LTS diagram: P1 −a→ P2, P2 −b→ P1]   =   [LTS diagram: Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

Can graph theory help? (equality is graph isomorphism) ... too strong (example above)
What about automata theory? (equality is trace equivalence)

page 25

SLIDE 27

Examples of trace-equivalent processes:

[three pairs of LTS diagrams over the actions a, b, c, d, e; the two processes of each pair have the same traces but branch at different points]

These equalities are OK on automata ... but they are not on processes (deadlock risk!)

page 26

SLIDE 28

For instance, you would not consider these two vending machines ‘the same’:

[two vending-machine LTS diagrams: one with two 1c transitions, each committing to tea or to coffee before the button is pressed, the other with a single 1c transition followed by the choice between tea and coffee]

Trace equivalence (also called language equivalence) is still important in concurrency. Examples: confluent processes; liveness properties such as termination.

page 27

SLIDE 29

These examples suggest that the notion of equivalence we seek:
– should imply a tighter correspondence between transitions than language equivalence,
– should be based on the information that the transitions convey, and not on the shape of the diagrams.

Intuitively, what does it mean for an observer that two machines are equivalent? If you do something with one machine, you must be able to do the same with the other, and on the two states which the machines evolve to the same is again true.
This is the idea of equivalence that we are going to formalise; it is called bisimilarity.

page 28

SLIDE 30

Bisimulation and bisimilarity

We define bisimulation on a single LTS, because: the union of two LTSs is an LTS; we will often want to compare derivatives of the same process.

Definition A relation R on processes is a bisimulation if whenever P R Q:
1. ∀µ, P′ s.t. P −µ→ P′, then ∃Q′ such that Q −µ→ Q′ and P′ R Q′;
2. ∀µ, Q′ s.t. Q −µ→ Q′, then ∃P′ such that P −µ→ P′ and P′ R Q′.
P and Q are bisimilar, written P ∼ Q, if P R Q, for some bisimulation R.

The bisimulation diagram:
  P   R   Q
µ ↓       ↓ µ
  P′  R   Q′

page 29

SLIDE 31

Examples

Show P1 ∼ Q1 (easy, processes are deterministic):

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

page 30

SLIDE 32

Examples

Show P1 ∼ Q1 (easy, processes are deterministic):

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

First attempt for a bisimulation: R = {(P1, Q1), (P2, Q2)}
Bisimulation diagrams for (P1, Q1):
  P1  R  Q1          P1  R  Q1
a ↓     ↓ a        a ↓     ↓ a
  P2     Q2          P2     Q2

page 31

SLIDE 33

Examples

Show P1 ∼ Q1 (easy, processes are deterministic):

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

First attempt for a bisimulation: R = {(P1, Q1), (P2, Q2)}
Bisimulation diagrams for (P1, Q1):
  P1  R  Q1          P1  R  Q1
a ↓     ↓ a        a ↓     ↓ a
  P2  R  Q2          P2  R  Q2

page 32

SLIDE 34

Examples

Show P1 ∼ Q1 (easy, processes are deterministic):

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

First attempt for a bisimulation: R = {(P1, Q1), (P2, Q2)}
Bisimulation diagrams for (P2, Q2):
  P2  R  Q2          P2  R  Q2
b ↓     ↓ b        b ↓     ↓ b
  P1  R? Q3          P1  R? Q3

page 33

SLIDE 35

Examples

Show P1 ∼ Q1 (easy, processes are deterministic):

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

First attempt for a bisimulation: R = {(P1, Q1), (P2, Q2)}
Bisimulation diagrams for (P2, Q2):
  P2  R  Q2          P2  R  Q2
b ↓     ↓ b        b ↓     ↓ b
  P1  R? Q3          P1  R? Q3
(the pair (P1, Q3) is not in R)

page 34

SLIDE 36

Examples

Show P1 ∼ Q1 (easy, processes are deterministic):

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2]

A bisimulation: R = {(P1, Q1), (P2, Q2), (P1, Q3)}
All diagrams are ok.

page 35

SLIDE 37

Suppose we add a transition Q2 −b→ Q1:

[LTS diagram: P1 −a→ P2, P2 −b→ P1; Q1 −a→ Q2, Q2 −b→ Q3, Q2 −b→ Q1, Q3 −a→ Q2]

In the original R = {(P1, Q1), (P2, Q2)} now the diagrams for (P2, Q2) look ok:
  P2  R  Q2          P2  R  Q2
b ↓     ↓ b        b ↓     ↓ b
  P1  R  Q1          P1  R  Q1
R is still not a bisimulation: why?

page 36

SLIDE 38

Now we want to prove Q1 ∼ R1 (all processes but R4 are deterministic):

[LTS diagram: Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2; R1 −a→ R2, R2 −b→ R3, R3 −a→ R4, R4 −b→ R3, R4 −b→ R1]

Our initial guess: {(Q1, R1), (Q2, R2), (Q3, R3), (Q2, R4)}
The diagram checks for the first 3 pairs are easy. On (Q2, R4):
  Q2  R  R4          Q2  R  R4
b ↓     ↓ b        b ↓     ↓ b
  Q3  R  R3          Q3  R  R3
One diagram check is missing. Which one? R4 −b→ R1

page 37

SLIDE 39

Now we want to prove Q1 ∼ R1 (all processes but R4 are deterministic):

[LTS diagram: Q1 −a→ Q2, Q2 −b→ Q3, Q3 −a→ Q2; R1 −a→ R2, R2 −b→ R3, R3 −a→ R4, R4 −b→ R3, R4 −b→ R1]

Our initial guess: {(Q1, R1), (Q2, R2), (Q3, R3), (Q2, R4)}
The diagram checks for the first 3 pairs are easy. On (Q2, R4):
  Q2  R  R4          Q2  R  R4
b ↓     ↓ b        b ↓     ↓ b
  Q3  R  R3          Q3  R  R3
The diagram for R4 −b→ R1 is missing. Add (Q3, R1).

page 38

SLIDE 40

We want to prove M1 ∼ N1:

[LTS diagrams: states M1, M2, M3 and N1, ..., N5, with transitions labelled a and b]

page 39

SLIDE 41

A graphical representation of a bisimulation:

[LTS diagrams: states M1, M2, M3 and N1, ..., N5, with transitions labelled a and b, and the related pairs joined]

{(M1, N1), (M2, N2), (M2, N3), (M3, N4), (M3, N5)}

page 40

SLIDE 42

Find an LTS with only two states, and in a bisimulation relation with the states of the following LTS:

[LTS diagram: states R1, R2, R3 with transitions labelled a, b, c]

page 41

SLIDE 43

Take

[the LTS of R1, R2, R3 beside a two-state LTS with states R′1 and R, over the same actions a, b, c]

A bisimulation is {(R1, R′1), (R2, R), (R3, R)}.

page 42

SLIDE 44

Examples: nondeterminism

Are the following processes bisimilar?

[three LTS diagrams P, Q and R, built from the actions a, b, c with different branching]

page 43

SLIDE 45

[three LTS diagrams P, Q and R, built from the actions a, b, c, d with different branching]

page 44

SLIDE 46

Basic properties of bisimilarity

Theorem ∼ is an equivalence relation, i.e. the following hold:
1. P ∼ P (reflexivity)
2. P ∼ Q implies Q ∼ P (symmetry)
3. P ∼ Q and Q ∼ R imply P ∼ R (transitivity)

Corollary ∼ itself is a bisimulation.
Exercise Prove the corollary. You have to show that ∪{R | R is a bisimulation} is a bisimulation.

page 45

SLIDE 47

The previous corollary suggests an alternative definition of ∼:

Corollary ∼ is the largest relation on processes such that P ∼ Q implies:
1. ∀µ, P′ s.t. P −µ→ P′, then ∃Q′ such that Q −µ→ Q′ and P′ ∼ Q′;
2. ∀µ, Q′ s.t. Q −µ→ Q′, then ∃P′ such that P −µ→ P′ and P′ ∼ Q′.

page 46
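Worked example, added here and not part of the slides: a Python checker for the two bisimulation clauses of slide 30, run on the candidate relations of slides 32 to 36, together with bisimilarity computed as the largest such relation (slide 47) by starting from all pairs of states and discarding the pairs that break a clause. The LTSs are my own encoding of the transitions the slides describe (the P/Q processes and the two vending machines); the function names are mine.

```python
from itertools import product

# Constructed LTSs (my encoding, not the slides' figures): a dict from a state
# to its set of (action, successor) transitions.
# P/Q: the deterministic processes of the "Examples" slides:
#   P1 -a-> P2, P2 -b-> P1 ; Q1 -a-> Q2, Q2 -b-> Q3, Q3 -a-> Q2.
PQ = {
    "P1": {("a", "P2")}, "P2": {("b", "P1")},
    "Q1": {("a", "Q2")}, "Q2": {("b", "Q3")}, "Q3": {("a", "Q2")},
}
# V: the original vending machine (the drink is chosen after the coin).
# W: the first replacement machine (the choice is made at the coin).
V = {
    "V1": {("1c", "V2")}, "V2": {("tea", "V3"), ("coffee", "V4")},
    "V3": {("collect-tea", "V1")}, "V4": {("collect-coffee", "V1")},
}
W = {
    "W1": {("1c", "W2"), ("1c", "W4")}, "W2": {("tea", "W3")},
    "W3": {("collect-tea", "W1")}, "W4": {("coffee", "W5")},
    "W5": {("collect-coffee", "W1")},
}


def union(*ltss):
    """The union of LTSs is again an LTS (slide 30); state names must be disjoint."""
    out = {}
    for lts in ltss:
        out.update(lts)
    return out


def transitions(lts, p):
    return lts.get(p, set())


def failing_pairs(lts, R):
    """Violations of the two bisimulation clauses for the pairs of R, as
    (pair, offending transition); empty iff R is a bisimulation.  Clause 2 is
    clause 1 with the roles of P and Q swapped."""
    bad = []
    for (p, q) in R:
        for (mu, p1) in transitions(lts, p):
            if not any((p1, q1) in R for (nu, q1) in transitions(lts, q) if nu == mu):
                bad.append(((p, q), (p, mu, p1)))
        for (mu, q1) in transitions(lts, q):
            if not any((p1, q1) in R for (nu, p1) in transitions(lts, p) if nu == mu):
                bad.append(((p, q), (q, mu, q1)))
    return bad


def is_bisimulation(lts, R):
    return not failing_pairs(lts, R)


def bisimilarity(lts):
    """~ as the largest bisimulation (slide 47), computed as a greatest fixed
    point: start from all pairs of states and repeatedly discard the pairs that
    break a clause; on a finite LTS this stops after finitely many rounds."""
    states = set(lts)
    for trs in lts.values():
        states |= {s for (_, s) in trs}
    R = set(product(states, states))
    while True:
        bad = {pair for (pair, _) in failing_pairs(lts, R)}
        if not bad:
            return R
        R -= bad


def bisimilar(lts, p, q):
    return (p, q) in bisimilarity(lts)


def traces(lts, p, max_len):
    """Traces of p of length <= max_len: the automata-theoretic notion of
    slide 26, which is blind to where a process branches."""
    out = {()}
    frontier = {((), p)}
    for _ in range(max_len):
        frontier = {(tr + (mu,), s1)
                    for (tr, s) in frontier for (mu, s1) in transitions(lts, s)}
        out |= {tr for (tr, _) in frontier}
    return out


if __name__ == "__main__":
    R0 = {("P1", "Q1"), ("P2", "Q2")}            # first attempt of slide 32
    print("R0 failures:", failing_pairs(PQ, R0))  # (P2,Q2): (P1,Q3) is missing
    print("P1 ~ Q1:", bisimilar(PQ, "P1", "Q1"))  # True
    VW = union(V, W)
    print("same traces:", traces(VW, "V1", 3) == traces(VW, "W1", 3))  # True
    print("V1 ~ W1:", bisimilar(VW, "V1", "W1"))  # False: deadlock risk
```

The vending machines are trace-equivalent yet not bisimilar, which is the deadlock risk of slides 27 and 28 made concrete.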

SLIDE 48

Proof of transitivity

Hp: P ∼ Q and Q ∼ R. Th: P ∼ R.
For P ∼ R, we need a bisimulation R with P R R.
Since P ∼ Q and Q ∼ R, there are bisimulations R1 and R2 with P R1 Q and Q R2 R.
Set R = {(P, R) | there is Q with P R1 Q and Q R2 R}.
Claim: R is a bisimulation. Take (P, R) ∈ R (so there is Q with P R1 Q and Q R2 R) with P −µ→ P′; then:
  P   R1  Q   R2  R
µ ↓       ↓ µ     ↓ µ
  P′  R1  Q′  R2  R′

page 47

SLIDE 49

Proof of symmetry

First, show that the inverse of a bisimulation R is again a bisimulation: R⁻¹ = {(P, Q) | Q R P}.
Now conclude: if P ∼ Q, there is a bisimulation R with P R Q. We also have Q R⁻¹ P and R⁻¹ is a bisimulation. Hence Q ∼ P.

page 48

SLIDE 50

An enhancement of the bisimulation proof method

We write P ∼R∼ Q if there are P′, Q′ s.t. P ∼ P′, P′ R Q′, and Q′ ∼ Q (and alike for similar notations).

Definition A relation R on processes is a bisimulation up-to ∼ if P R Q implies:
1. if P −µ→ P′, then there is Q′ such that Q −µ→ Q′ and P′ ∼R∼ Q′;
2. if Q −µ→ Q′, then there is P′ such that P −µ→ P′ and P′ ∼R∼ Q′.

Exercise If R is a bisimulation up-to ∼ then R ⊆ ∼. (Hint: prove that ∼R∼ is a bisimulation.)

page 49

SLIDE 51

Simulation

Definition A relation R on processes is a simulation if P R Q implies:
1. if P −µ→ P′, then there is Q′ such that Q −µ→ Q′ and P′ R Q′.
P is simulated by Q, written P < Q, if P R Q, for some simulation R.

Exercise Does P ∼ Q imply P < Q and Q < P? What about the converse? (Hint for the second point: think about the 2nd equality at page 26.)

page 50

SLIDE 52

Exercise: quantifiers

Suppose the existential quantifiers in the definition of bisimulation were replaced by universal quantifiers. For instance, clause (1) would become:
– for all P′ with P −µ→ P′, and for all Q′ such that Q −µ→ Q′, we have P′ R Q′;
and similarly for clause (2).
Would these two (identical!) processes be bisimilar? What do you think bisimilarity would become?

[two identical LTS diagrams P and Q, each built from the actions a, a, b, c]

page 51

SLIDE 53

Other equivalences: examples

We have seen: trace equivalence has deadlock problems, e.g.,

[two trace-equivalent LTS diagrams, one built from the actions a, b, c and the other from a, a, b, c, that are not bisimilar]

Besides bisimilarity, many other solutions have been suggested, usually inductive. Ex: using decorated traces, i.e., pairs a1 ... an; S of a sequence of actions and a set of actions. P has a1 ... an; S if:
  ∃R′ s.t. P −a1→ ... −an→ R′ and then R′ −b→ ⇔ b ∈ S
The mathematical robustness of bisimilarity and the bisimulation proof method are however major advantages (i.e., on finite-state processes: bisimilarity is P-space complete, inductive equivalences are PSPACE-complete).

page 52

SLIDE 54

We have seen:

– the problem of equality between processes
– representing behaviours: LTSs
– graph theory, automata theory
– bisimilarity
– the bisimulation proof method
– impredicativity (circularity)

Bisimilarity and the bisimulation proof method: very different from the usual, familiar inductive definitions and inductive proofs. They are examples of a coinductive definition and of a coinductive proof technique.

page 53

SLIDE 55

Induction and coinduction

– examples
– duality
– fixed-point theory

page 54

SLIDE 56

Examples of induction and coinduction

page 55

SLIDE 57

Mathematical induction

To prove a property for all natural numbers:
1. Show that the property holds at 0 (basis)
2. Show that, whenever the property holds at n, it also holds at n + 1 (inductive part)

In a variant, step (2) becomes: show that, whenever the property holds at all naturals less than or equal to n, then it also holds at n + 1.
NB: other variants are possible, modifying for instance the basis.

page 56

SLIDE 58

Example of mathematical induction

1 + 2 + ... + n = n × (n + 1) / 2

Basis: 1 = (1 × 2) / 2

Inductive step (assume true at n, prove the statement for n + 1):
1 + 2 + ... + n + (n + 1)
  = n × (n + 1) / 2 + (n + 1)                  (inductive hypothesis)
  = n × (n + 1) / 2 + 2 × (n + 1) / 2
  = (n × (n + 1) + 2 × (n + 1)) / 2
  = (n + 1) × (n + 2) / 2
  = (n + 1) × ((n + 1) + 1) / 2

page 57

SLIDE 59

Rule induction: finite traces (may termination)

(assume only one label, hence we drop it)

[LTS diagram with states P1, ..., P7; transitions used in the following slides: P1 → P2, P2 → P1, P2 → P7, P1 → P3, P3 → P5; P7 is stopped]

A process is stopped if it cannot do any transitions.
P has a finite trace, written P ⇂, if P has a finite sequence of transitions that lead to a stopped process.
Examples: P1, P2, P3, P5, P7 (how many finite traces for P2?)

Inductive definition of ⇂: P ⇂ if (1) P is stopped, or (2) ∃P′ with P → P′ and P′ ⇂.
As rules (written premises ⟹ conclusion):
  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂

page 58

SLIDE 60

What is a set inductively defined by a set of rules?

... later, using some (very simple) fixed-point and lattice theory.
Now: 3 equivalent readings of inductive sets, derived from the definition of inductive sets (we will show this for one reading).

page 59

SLIDE 61

Equivalent readings for ⇂

  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂
– The processes obtained with a finite proof from the rules

page 60

SLIDE 62

Equivalent readings for ⇂

  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂
– The processes obtained with a finite proof from the rules
Example: a proof of P1 ⇂
  P7 stopped ⟹ P7 ⇂ (AX)
  P2 → P7, P7 ⇂ ⟹ P2 ⇂ (INF)
  P1 → P2, P2 ⇂ ⟹ P1 ⇂ (INF)

[LTS diagram with states P1, ..., P7, as on slide 59]

page 61

SLIDE 63

Equivalent readings for ⇂

  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂
– The processes obtained with a finite proof from the rules
Example (another proof for P1; how many other proofs?):
  P7 stopped ⟹ P7 ⇂ (AX)
  P2 → P7, P7 ⇂ ⟹ P2 ⇂ (INF)
  P1 → P2, P2 ⇂ ⟹ P1 ⇂ (INF)
  P2 → P1, P1 ⇂ ⟹ P2 ⇂ (INF)
  P1 → P2, P2 ⇂ ⟹ P1 ⇂ (INF)

[LTS diagram with states P1, ..., P7, as on slide 59]

page 62

SLIDE 64

Equivalent readings for ⇂

  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂
– The processes obtained with a finite proof from the rules
– the smallest set of processes that is closed forward under the rules; i.e., the smallest subset S of Pr (all processes) such that
  ∗ all stopped processes are in S;
  ∗ if there is P′ with P → P′ and P′ ∈ S, then also P ∈ S.

page 63

SLIDE 65

Equivalent readings for ⇂

  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂
– The processes obtained with a finite proof from the rules
– the smallest set of processes that is closed forward under the rules; i.e., the smallest subset S of Pr (all processes) such that
  ∗ all stopped processes are in S;
  ∗ if there is P′ with P → P′ and P′ ∈ S, then also P ∈ S.
Hence a proof technique for ⇂ (rule induction): given a property T on the processes (a subset of processes), to prove ⇂ ⊆ T (all processes in ⇂ have the property) show that T is closed forward under the rules.

page 64

SLIDE 66

Example of rule induction for finite traces

A partial function f, from processes to integers, that satisfies the following conditions:
  f(P) = if P is stopped
  f(P) = min{f(P′) + 1 | P → P′ for some P′ and f(P′) is defined} otherwise
(f can have any value, or even be undefined, if the set on which the min is taken is empty)

We wish to prove that f is defined on all processes with a finite trace (i.e., dom(⇂) ⊆ dom(f)).
We can show that dom(f) is closed forward under the rules defining ⇂. Proof:
1. f(P) is defined whenever P is stopped;
2. if there is P′ with P → P′ and f(P′) is defined, then also f(P) is defined.

page 65

SLIDE 67

Equivalent readings for ⇂

  (AX)  P stopped ⟹ P ⇂
  (INF) P → P′, P′ ⇂ ⟹ P ⇂
– The processes obtained with a finite proof from the rules
– the smallest set of processes that is closed forward under the rules; i.e., the smallest subset S of Pr (all processes) such that
  ∗ all stopped processes are in S;
  ∗ if there is P′ with P → P′ and P′ ∈ S, then also P ∈ S.
– (iterative construction) Start from ∅; add all objects as in the axiom; repeat adding objects following the inference rule forwards

page 66

SLIDE 68

Rule coinduction definition: ω-traces (non-termination)

[LTS diagram with states P1, ..., P7, as on slide 59]

P has an ω-trace, written P ↾, if there is an infinite sequence of transitions starting from P.
Examples: P1, P2, P4, P6
Coinductive definition of ↾ (premises ⟹ conclusion):
  P → P′, P′ ↾ ⟹ P ↾

page 67

SLIDE 69

Equivalent readings for ↾

  P → P′, P′ ↾ ⟹ P ↾
– The processes obtained with an infinite proof from the rules

page 68

SLIDE 70

Equivalent readings for ↾

  P → P′, P′ ↾ ⟹ P ↾
– The processes obtained with an infinite proof from the rules
Example: an infinite proof of P1 ↾, using P1 → P2, P2 → P1, P1 → P2, ...
  ... ⟹ P2 ↾
  P1 → P2, P2 ↾ ⟹ P1 ↾
  P2 → P1, P1 ↾ ⟹ P2 ↾
  P1 → P2, P2 ↾ ⟹ P1 ↾
(the proof never ends: the rule has no axiom to stop at)

[LTS diagram with states P1, ..., P7, as on slide 59]

page 69

SLIDE 71

Equivalent readings for ↾

  P → P′, P′ ↾ ⟹ P ↾
– The processes obtained with an infinite proof from the rules
An invalid proof:
  ?? ⟹ P5 ↾          (no proof of P5 ↾ is available)
  P3 → P5, P5 ↾ ⟹ P3 ↾
  P1 → P3, P3 ↾ ⟹ P1 ↾

[LTS diagram with states P1, ..., P7, as on slide 59]

page 70

SLIDE 72

Equivalent readings for ↾

  P → P′, P′ ↾ ⟹ P ↾
– The processes obtained with an infinite proof from the rules
– the largest set of processes that is closed backward under the rule; i.e., the largest subset S of processes such that if P ∈ S then
  ∗ there is P′ such that P → P′ and P′ ∈ S.

page 71

SLIDE 73

Equivalent readings for ↾

  P → P′, P′ ↾ ⟹ P ↾
– The processes obtained with an infinite proof from the rules
– the largest set of processes that is closed backward under the rule; i.e., the largest subset S of processes such that if P ∈ S then
  ∗ there is P′ such that P → P′ and P′ ∈ S.
Hence a proof technique for ↾ (rule coinduction): to prove that each process in a set T has an ω-trace, show that T is closed backward under the rule.

page 72

SLIDE 74

Example of rule coinduction for ω-traces

[LTS diagram with states P1, ..., P7, as on slide 59]

  P → P′, P′ ↾ ⟹ P ↾
Suppose we want to prove P1 ↾.
Proof: T = {P1, P2} is closed backward:
  P1 → P2, P2 ∈ T ⟹ P1 ∈ T
  P2 → P1, P1 ∈ T ⟹ P2 ∈ T
Another choice: T = {P1, P2, P4, P6} (correct, but more work in the proof)
Would T = {P1, P2, P4} or T = {P1, P2, P3} be correct?

page 73

SLIDE 75

ω-traces in the bisimulation style

A predicate S on processes is ω-closed if whenever P ∈ S:
– there is P′ ∈ S such that P → P′.
P has an ω-trace, written P ↾, if P ∈ S, for some ω-closed predicate S.
The proof technique is explicit.

Compare with the definition of bisimilarity: a relation R on processes is a bisimulation if whenever P R Q:
1. ∀µ, P′ s.t. P −µ→ P′, then ∃Q′ such that Q −µ→ Q′ and P′ R Q′;
2. ∀µ, Q′ s.t. Q −µ→ Q′, then ∃P′ such that P −µ→ P′ and P′ R Q′.
P and Q are bisimilar, written P ∼ Q, if P R Q, for some bisimulation R.

page 74

SLIDE 76

Equivalent readings for ↾

  P → P′, P′ ↾ ⟹ P ↾
– The processes obtained with an infinite proof from the rules
– the largest set of processes that is closed backward under the rule; i.e., the largest subset S of processes such that if P ∈ S then
  ∗ there is P′ ∈ S such that P → P′.
– (iterative construction) start with the set Pr of all processes; repeatedly remove a process P from the set if one of these applies (the backward closure fails):
  ∗ P has no transitions
  ∗ all transitions from P lead to derivatives that are not anymore in the set.

page 75
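Added example, not part of the slides: the iterative constructions of slides 67 and 76 (least and greatest fixed point), the closure checks behind rule induction (slide 65) and rule coinduction (slide 73), and the partial function f of slide 66, in Python. The LTS is my own encoding of the transitions the slides use for P1, ..., P7; the P4/P6 cycle and the value f(P) = 0 for a stopped P are my assumptions, and the function names are mine.

```python
# Constructed single-label LTS (my encoding, not the slides' figure): each state
# maps to its set of successors.  It matches the transitions the slides use
# (P1 -> P2, P2 -> P1, P2 -> P7, P1 -> P3, P3 -> P5); the P4 <-> P6 cycle is an
# assumption that gives P4 and P6 an omega-trace but no finite trace.
LTS = {
    "P1": {"P2", "P3"}, "P2": {"P1", "P7"}, "P3": {"P5"},
    "P4": {"P6"}, "P6": {"P4"}, "P5": set(), "P7": set(),
}


def stopped(lts, p):
    return not lts[p]


def finite_trace_lfp(lts):
    """Inductive reading of ⇂ (slide 67): start from ∅, add the stopped
    processes (axiom AX), then keep adding processes with a transition into the
    set (rule INF read forwards) until nothing changes: the least fixed point."""
    S = set()
    while True:
        new = {p for p in lts if stopped(lts, p) or lts[p] & S}
        if new == S:
            return S
        S = new


def omega_trace_gfp(lts):
    """Coinductive reading of ↾ (slide 76): start from all processes and keep
    removing those whose backward closure fails (no transition, or every
    transition leaves the set): the greatest fixed point."""
    S = set(lts)
    while True:
        new = {p for p in S if lts[p] & S}
        if new == S:
            return S
        S = new


def closed_backward(lts, T):
    """Rule coinduction (slide 73): if T is closed backward, every process in T
    has an omega-trace.  T is a proof certificate, not a computation of ↾."""
    return all(lts[p] & T for p in T)


def closed_forward(lts, T):
    """Rule induction (slide 65): if T is closed forward, every process with a
    finite trace is in T (⇂ ⊆ T)."""
    axiom_ok = all(p in T for p in lts if stopped(lts, p))
    rule_ok = all(p in T for p in lts if lts[p] & T)
    return axiom_ok and rule_ok


def min_steps_to_stop(lts):
    """The partial function f of slide 66, iterated from its equations:
    f(P) = 0 if P is stopped (my assumption for the value the slide omits),
    f(P) = min{f(P') + 1 | P -> P', f(P') defined} otherwise.
    Processes where f stays undefined are absent from the result."""
    f = {}
    while True:
        new = dict(f)
        for p in lts:
            if stopped(lts, p):
                new[p] = 0
            else:
                vals = [f[q] + 1 for q in lts[p] if q in f]
                if vals:
                    new[p] = min(vals)
        if new == f:
            return f
        f = new


if __name__ == "__main__":
    print("finite traces:", sorted(finite_trace_lfp(LTS)))   # P1 P2 P3 P5 P7
    print("omega traces: ", sorted(omega_trace_gfp(LTS)))    # P1 P2 P4 P6
    print("{P1,P2} closed backward:", closed_backward(LTS, {"P1", "P2"}))  # True
    print("{P1,P2,P3} closed backward:", closed_backward(LTS, {"P1", "P2", "P3"}))  # False
    f = min_steps_to_stop(LTS)
    print("dom(f) == dom(⇂):", set(f) == finite_trace_lfp(LTS))  # True
```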

SLIDE 77

An inductive definition: finite lists over a set A

Rules (premises ⟹ conclusion):
  nil ∈ L
  ℓ ∈ L, a ∈ A ⟹ a • ℓ ∈ L
3 equivalent readings (in the “forward” direction):
– The objects obtained with a finite proof from the rules
– The smallest set closed forward under these rules. A set T is closed forward if:
  – nil ∈ T
  – ℓ ∈ T implies a • ℓ ∈ T, for all a ∈ A
  Inductive proof technique for lists: let T be a predicate (a property) on lists. To prove that T holds on all lists, prove that T is closed forward.
– (iterative construction) Start from ∅; add all objects as in the axiom; repeat adding objects following the inference rule forwards

page 76

SLIDE 78

A coinductive definition: finite and infinite lists over A

Same rules (premises ⟹ conclusion):
  nil ∈ L
  ℓ ∈ L, a ∈ A ⟹ a • ℓ ∈ L
3 equivalent readings (in the “backward” direction):
– The objects that are the conclusion of a finite or infinite proof from the rules
– The largest set closed backward under these rules. A set T is closed backward if ∀t ∈ T:
  – either t = nil
  – or t = a • ℓ, for some ℓ ∈ T and a ∈ A
  Coinduction proof method: to prove that ℓ is a finite or infinite list, find a set D with ℓ ∈ D and D closed backward
– (iterative construction) X = all (finite and infinite) strings over A ∪ {nil, , , •}. Start from X (all strings) and keep removing strings, following the backward closure

page 77

SLIDE 79

An inductive definition: convergence, in λ-calculus

Set of λ-terms (an inductive def!): e ::= x | λx. e | e1(e2)
Convergence to a value (⇓), on closed λ-terms, call-by-name (premises ⟹ conclusion):
  λx. e ⇓ λx. e
  e1 ⇓ λx. e0, e0{e2/x} ⇓ e′ ⟹ e1(e2) ⇓ e′
As before, ⇓ can be read in terms of finite proofs, limit of an iterative construction, or smallest set closed forward under these rules.
⇓ is the smallest relation S on (closed) λ-terms s.t.
– λx. e S λx. e for all abstractions,
– if e1 S λx. e0 and e0{e2/x} S e′ then also e1(e2) S e′.

page 78

SLIDE 80

A coinductive definition: divergence in the λ-calculus

Divergence (⇑), on closed λ-terms, call-by-name (premises ⟹ conclusion):
  e1 ⇑ ⟹ e1(e2) ⇑
  e1 ⇓ λx. e0, e0{e2/x} ⇑ ⟹ e1(e2) ⇑
The ‘closed backward’ reading: ⇑ is the largest predicate on λ-terms that is closed backward under these rules; i.e., the largest subset D of λ-terms s.t. if e ∈ D then
– either e = e1(e2) and e1 ∈ D,
– or e = e1(e2), e1 ⇓ λx. e0 and e0{e2/x} ∈ D.

Coinduction proof technique: to prove e ⇑, find E ⊆ Λ closed backward and with e ∈ E.
What is the smallest predicate closed backward?

page 79
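Added example, not part of the slides: call-by-name convergence (slide 79) as a bounded search for a finite ⇓-derivation, and the backward-closure condition of slide 80 checked on a finite candidate set E, which certifies divergence of every term in E, in Python. The tuple encoding of λ-terms, the sample terms and the function names are my own.

```python
# Closed lambda-terms as tuples (my encoding, not the slides'):
#   ("var", x)  |  ("lam", x, body)  |  ("app", fun, arg)
I = ("lam", "z", ("var", "z"))                                  # λz. z
K = ("lam", "x", ("lam", "y", ("var", "x")))                    # λx. λy. x
D = ("lam", "x", ("app", ("var", "x"), ("var", "x")))           # λx. x(x)
OMEGA = ("app", D, D)                                           # D(D), diverges


def subst(e, x, v):
    """e{v/x} for closed v: no capture is possible since v has no free variables."""
    tag = e[0]
    if tag == "var":
        return v if e[1] == x else e
    if tag == "lam":
        return e if e[1] == x else ("lam", e[1], subst(e[2], x, v))
    return ("app", subst(e[1], x, v), subst(e[2], x, v))


def converges(e, fuel=200):
    """Bounded search for a finite ⇓-derivation (slide 79, call-by-name):
    returns the value λx. e0 with e ⇓ λx. e0, or None when no derivation was
    found within roughly `fuel` applications of the second rule.  Because ⇓ is
    the *smallest* relation closed under the rules, a value found is a genuine
    derivation; None by itself proves nothing about divergence."""
    steps = 0
    while True:
        if e[0] == "lam":                  # axiom: λx. e ⇓ λx. e
            return e
        if e[0] == "var" or steps >= fuel:
            return None                    # open term, or budget exhausted
        steps += 1
        f = converges(e[1], fuel - steps)  # premise e1 ⇓ λx. e0
        if f is None:
            return None
        e = subst(f[2], f[1], e[2])        # premise e0{e2/x} ⇓ e'


def is_backward_closed(E, fuel=200):
    """The backward-closure condition of slide 80 on a finite candidate set E:
    every e in E is an application e1(e2) with either e1 in E, or e1 ⇓ λx. e0
    and e0{e2/x} in E.  If it holds, every term in E diverges (coinduction)."""
    for e in E:
        if e[0] != "app":
            return False
        e1, e2 = e[1], e[2]
        if e1 in E:                        # first rule: e1 ⇑
            continue
        v = converges(e1, fuel)            # second rule: e1 ⇓ λx. e0 ...
        if v is None or subst(v[2], v[1], e2) not in E:   # ... and e0{e2/x} ⇑
            return False
    return True


if __name__ == "__main__":
    print(converges(("app", K, I)))                 # ('lam', 'y', ('lam', 'z', ('var', 'z')))
    print(converges(OMEGA))                         # None: the search gives up
    print(is_backward_closed({OMEGA}))              # True: {Ω} proves Ω ⇑
    print(is_backward_closed({("app", OMEGA, I)}))  # False: Ω itself must be in E
    print(is_backward_closed(set()))                # True: ∅ is the smallest closed set
```

The empty set answers the question on the slide: it is trivially closed backward, which is why the *largest* closed set, not the smallest, is the interesting one.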

SLIDE 81

The duality induction/coinduction

page 80

SLIDE 82

Constructors/destructors

– An inductive definition tells us what are the constructors for generating all the elements (cf: the forward closure).
– A coinductive definition tells us what are the destructors for decomposing the elements (cf: the backward closure).
The destructors show what we can observe of the elements (think of the elements as black boxes; the destructors tell us what we can do with them; this is clear in the case of infinite lists).

page 81

SLIDE 83

Definitions given by means of rules

– if the definition is inductive, we look for the smallest universe in which such rules live.
– if it is coinductive, we look for the largest universe.
– the inductive proof principle allows us to infer that the inductive set is included in a set (ie, has a given property) by proving that the set satisfies the forward closure;
– the coinductive proof principle allows us to infer that a set is included in the coinductive set by proving that the given set satisfies the backward closure.

page 82

SLIDE 84

Forward and backward closures

A set T being closed forward intuitively means that for each rule whose premise is satisfied in T there is an element of T such that the element is the conclusion of the rule.
In the backward closure for T, the order between the two quantified entities is swapped: for each element of T there is a rule whose premise is satisfied in T such that the element is the conclusion of the rule.
In fixed-point theory, the duality between forward and backward closure will be the duality between pre-fixed points and post-fixed points.

page 83

SLIDE 85

Congruences vs bisimulation equivalences

Congruence: an equivalence relation that respects the constructors of a language
Example (λ-calculus) Consider the following rules, acting on pairs of (open) λ-terms (premises ⟹ conclusion):
  (x, x)
  (e1, e2) ⟹ (e e1, e e2)
  (e1, e2) ⟹ (e1 e, e2 e)
  (e1, e2) ⟹ (λx. e1, λx. e2)
A congruence: an equivalence relation closed forward under the rules.
The smallest such relation is syntactic equality: the identity relation.
In other words, congruence rules express syntactic constraints.

page 84

SLIDE 86

Bisimulation equivalence: an equivalence relation that respects the destructors
Example (λ-calculus, call-by-name) Consider the following rules (premises ⟹ conclusion; side conditions in brackets):
  e1 ⇑, e2 ⇑ ⟹ (e1, e2)   [e1, e2 closed]
  e1 ⇓ λx. e′1, e2 ⇓ λx. e′2, ∪e′′ {(e′1{e′′/x}, e′2{e′′/x})} ⟹ (e1, e2)   [e1, e2, e′′ closed]
  ∪σ {(e1σ, e2σ)} ⟹ (e1, e2)   [e1, e2 non closed, σ closing substitution for e1, e2]
A bisimulation equivalence: an equivalence relation closed backward under the rules.
The largest such relation is semantic equality: bisimilarity.
In other words, the bisimulation rules express semantic constraints.

page 85

slide-87
SLIDE 87

Substitutive relations vs bisimulations

In the duality between congruences and bisimulation equivalences, the equivalence requirement is not necessary. Leaving it aside, we obtain the duality between bisimulations and substitutive relations: a relation is substitutive if whenever s and t are related, then any term t′ must be related to a term s′ obtained from t′ by replacing occurrences of t with s.

page 86

slide-88
SLIDE 88

Bisimilarity is a congruence

To be useful, a bisimilarity on a term language should be a congruence This leads to proofs where inductive and coinductive techniques are intertwined In certain languages, for instance higher-order languages, such proofs may be hard, and how to best combine induction and coinduction remains a research topic. What makes the combination delicate is that the rules on which congruence and bisimulation are defined — the rules for syntactic and semantic equality — are different.

page 87

slide-89
SLIDE 89

Summary of the dualities

  inductive definition                        coinductive definition
  induction proof principle                   coinduction proof principle
  constructors                                observations
  smallest universe                           largest universe
  ‘forward closure’ in rules                  ‘backward closure’ in rules
  congruence                                  bisimulation equivalence
  substitutive relation                       bisimulation
  identity                                    bisimilarity
  least fixed point                           greatest fixed point
  pre-fixed point                             post-fixed point
  algebra                                     coalgebra
  syntax                                      semantics
  semi-decidable set                          cosemi-decidable set
  strengthening of the candidate in proofs    weakening of the candidate in proofs

page 88

slide-90
SLIDE 90

We have seen:

– examples of induction and coinduction
– 3 readings for the sets inductively and coinductively obtained from a set of rules
– justifications for the induction and coinduction proof principles
– the duality between induction and coinduction, informally

page 89

slide-91
SLIDE 91

Remaining questions

– What is the definition of an inductive set?
– From this definition, how do we derive the previous 3 readings for sets inductively and coinductively obtained from a set of rules?
– How is the duality induction/coinduction formalised?
What follows answers these questions. It is a simple application of fixed-point theory on complete lattices. To make things simpler, we work on powersets and fixed-point theory. (It is possible to be more general, working with universal algebras or category theory.)

page 90

slide-92
SLIDE 92

Complete lattices and fixed-points

page 91

slide-93
SLIDE 93

Complete lattices

The important example of complete lattice for us: powersets. For a given set X, the powerset of X, written ℘(X), is
  ℘(X) def= {T | T ⊆ X}
℘(X) is a complete lattice because:
– it comes with a relation ⊆ (set inclusion) that is reflexive, transitive, and antisymmetric;
– it is closed under union and intersection (∪ and ∩ give least upper bounds and greatest lower bounds for ⊆).
A partially ordered set (or poset): a non-empty set with a relation on its elements that is reflexive, transitive, and antisymmetric.
A complete lattice: a poset with all joins (least upper bounds) and (hence) also all meets (greatest lower bounds).

page 92

slide-94
SLIDE 94

Example of a complete lattice

(diagram of a complete lattice, omitted) Two points x, y are in the relation ≤ if there is a path from x to y following the directional edges (a path may also be empty, hence x ≤ x holds for all x).

page 93

slide-95
SLIDE 95

A partially ordered set that is not a complete lattice

(diagram, omitted: points a, b, c, d, e, f joined by directed edges)

Again, x ≤ y if there is a path from x to y

page 94

slide-96
SLIDE 96

The Fixed-point Theorem

NB: Complete lattices are “dualisable” structures: reverse the arrows and you get another complete lattice. Similarly, statements on complete lattices can be dualised. For simplicity, we will focus on complete lattices produced by the powerset construction. But all statements can be generalised to arbitrary complete lattices.
Given a function F on a complete lattice:
– F is monotone if x ≤ y implies F(x) ≤ F(y), for all x, y.
– x is a pre-fixed point of F if F(x) ≤ x. Dually, x is a post-fixed point if x ≤ F(x).
– x is a fixed point of F if F(x) = x (it is both pre- and post-fixed point).
– The set of fixed points of F may have a least element, the least fixed point, and a greatest element, the greatest fixed point.

page 95

slide-97
SLIDE 97

Theorem [Fixed-point Theorem] If F : ℘(X) → ℘(X) is monotone, then
  lfp(F) = ⋂ {T | F(T) ⊆ T}
  gfp(F) = ⋃ {T | T ⊆ F(T)}
(the meet of the pre-fixed points, the join of the post-fixed points)
NB: the theorem actually says more: the set of fixed points is itself a complete lattice, and the same for the sets of pre-fixed points and post-fixed points.

page 96

slide-98
SLIDE 98

Proof of the Fixed-point Theorem

We consider one part of the statement (the other part is dual), namely
  gfp(F) = ⋃ {S | S ⊆ F(S)}
Set T = ⋃ {S | S ⊆ F(S)}. We have to show T fixed point (it is then the greatest: any other fixed point is a post-fixed point, hence contained in T).
Proof of T ⊆ F(T). For each S s.t. S ⊆ F(S) we have:
  S ⊆ T                (def of T as a union)
  hence F(S) ⊆ F(T)    (monotonicity of F)
  hence S ⊆ F(T)       (since S is a post-fixed point)
We conclude F(T) ⊇ ⋃ {S | S ⊆ F(S)} = T.

page 97

slide-99
SLIDE 99

Proof of the Fixed-point Theorem

We consider one part of the statement (the other part is dual), namely
  gfp(F) = ⋃ {S | S ⊆ F(S)}
Set T = ⋃ {S | S ⊆ F(S)}. We have to show T fixed point (it is then the greatest: any other fixed point is a post-fixed point, hence contained in T).
Proof of F(T) ⊆ T. We have
  T ⊆ F(T)                 (just proved)
  hence F(T) ⊆ F(F(T))     (monotonicity of F)
that is, F(T) is a post-fixed point. Done, by definition of T as a union of the post-fixed points.

page 98

slide-100
SLIDE 100

Sets coinductively and inductively defined by F

Definition Given a complete lattice produced by the powerset construction, and an endofunction F on it, the sets
  F_ind def= ⋂ {x | F(x) ⊆ x}
  F_coind def= ⋃ {x | x ⊆ F(x)}
are the sets inductively defined by F, and coinductively defined by F. By the Fixed-point Theorem, when F is monotone:
  F_ind = lfp(F) = least pre-fixed point of F
  F_coind = gfp(F) = greatest post-fixed point of F

page 99

slide-101
SLIDE 101

It remains to show:
  a set of rules ⇔ a monotone function on a complete lattice
  a forward closure for the rules ⇔ a pre-fixed point for the function
  a backward closure for the rules ⇔ a post-fixed point for the function
NB: all inductive and coinductive definitions can be given in terms of rules

page 100

slide-102
SLIDE 102

Definitions by means of rules

Given a set X, a ground rule on X is a pair (S, x) with S ⊆ X and x ∈ X. We can write a rule (S, x) as
  x1 . . . xn . . .
  —————————————————
          x
where {x1, . . . , xn, . . .} = S. A rule (∅, x) is an axiom.

page 101

slide-103
SLIDE 103

Definitions by means of rules

Given a set X, a ground rule on X is a pair (S, x) with S ⊆ X and x ∈ X. We can write a rule (S, x) as
  x1 . . . xn . . .
  —————————————————
          x
where {x1, . . . , xn, . . .} = S. A rule (∅, x) is an axiom.
NB: previous rules, eg
  P −→ P′    P′ ↾
  ———————————————
        P ↾
were not ground (P, P′ are metavariables). The translation to ground rules is trivial (take all valid instantiations).

page 102

slide-104
SLIDE 104

Definitions by means of rules

Given a set X, a ground rule on X is a pair (S, x) with S ⊆ X and x ∈ X. We can write a rule (S, x) as
  x1 . . . xn . . .
  —————————————————
          x
where {x1, . . . , xn, . . .} = S. A rule (∅, x) is an axiom.
A set R of rules on X yields a monotone endofunction ΦR, called the functional of R (or rule functional), on the complete lattice ℘(X), where
  ΦR(T) = {x | (T′, x) ∈ R for some T′ ⊆ T}
Exercise Show ΦR monotone, and that every monotone operator on ℘(X) can be expressed as the functional of some set of rules.

page 103

slide-105
SLIDE 105

By the Fixed-point Theorem there are least fixed point and greatest fixed point, lfp(ΦR) and gfp(ΦR), obtained via the join and meet in the theorem. They are indeed called the sets inductively and coinductively defined by the rules. Thus indeed: a set of rules ⇔ a monotone function on a complete lattice Next: pre-fixed points and forward closure (and dually)

page 104

slide-106
SLIDE 106

What does it mean ΦR(T) ⊆ T (ie, set T is a pre-fixed point of 

ΦR)? As ΦR(T) = {x | (S, x) ∈ R for some S ⊆ T}, it means: for all rules (S, x) ∈ R, if S ⊆ T (so that x ∈ ΦR(T)), then also x ∈ T. That is:
(i) the conclusion of each axiom is in T;
(ii) each rule whose premises are in T has also the conclusion in T.
This is precisely the ‘forward’ closure in previous examples. The Fixed-point Theorem tells us that the least fixed point is the least pre-fixed point: the set inductively defined by the rules is therefore the smallest set closed forward.

page 105

slide-107
SLIDE 107

For rules, the induction proof principle, in turn, says: for a given T,
  if for all rules (S, x) ∈ R, S ⊆ T implies x ∈ T
  then (the set inductively defined by the rules) ⊆ T.
As already seen discussing the forward closure, this is the familiar way of reasoning inductively on rules (the assumption “S ⊆ T” is the inductive hypothesis; the base of the induction is given by the axioms of R). We have recovered the principle of rule induction.

page 106

slide-108
SLIDE 108

Now the case of coinduction. Set T is a post-fixed point if T ⊆ ΦR(T), where ΦR(T) = {x | (T′, x) ∈ R for some T′ ⊆ T}. This means:
  for all t ∈ T there is a rule (S, t) ∈ R with S ⊆ T
This is precisely the ‘backward’ closure. By the Fixed-point Theorem, the set coinductively defined by the rules is the largest set closed backward. The coinduction proof principle reads thus (principle of rule coinduction): for a given T,
  if for all x ∈ T there is a rule (S, x) ∈ R with S ⊆ T,
  then T ⊆ (the set coinductively defined by the rules).
Exercise Let R be a set of ground rules, and suppose each rule has a non-empty premise. Show that lfp(ΦR) = ∅.

page 107

slide-109
SLIDE 109

The examples, revisited

– the previous examples of rule induction and coinduction reduced to the fixed-point format
– other induction principles reduced to rule induction

page 108

slide-110
SLIDE 110

Finite traces

  P stopped
  —————————
     P ⇂

  P −μ→ P′    P′ ⇂
  ————————————————
        P ⇂

As ground rules, these become:
  R⇂ def= {(∅, P) | P is stopped} ∪ {({P′}, P) | P −μ→ P′ for some μ}
This yields the following functional:
  ΦR⇂(T) def= {P | P is stopped, or there are P′, μ with P′ ∈ T and P −μ→ P′}
The sets ‘closed forward’ are the pre-fixed points of ΦR⇂. Thus the smallest set closed forward and the associated proof technique become examples of inductively defined set and of induction proof principle.

page 109

slide-111
SLIDE 111

ω-traces

  P −μ→ P′    P′ ↾
  ————————————————
        P ↾

As ground rules, this yields:
  R↾ def= {({P′}, P) | P −μ→ P′}
This yields the following functional:
  ΦR↾(T) def= {P | there is P′ ∈ T and P −μ→ P′}
Thus the sets ‘closed backward’ are the post-fixed points of ΦR↾, and the largest set closed backward is the greatest fixed point of ΦR↾. Similarly, the proof technique for ω-traces is derived from the coinduction proof principle.

page 110
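Computing lfp(ΦR⇂) and gfp(ΦR↾) by iteration, as an added example (not code from the slides): on a finite set X the chain ∅ ⊆ ΦR(∅) ⊆ ΦR(ΦR(∅)) ⊆ ... stabilises at the least fixed point, and the chain X ⊇ ΦR(X) ⊇ ... at the greatest one. The LTS, its state names and the tuple encoding of ground rules are constructed for the example; the two rule sets are the ground-rule translations of R⇂ and R↾ above.

```python
# Added example: rule functionals and their fixed points on a finite set.
# The LTS below is constructed for illustration; state names are arbitrary.

# Constructed LTS: state -> list of (label, successor)
LTS = {
    "P": [("a", "Q"), ("b", "R")],
    "Q": [("a", "Q")],      # Q loops on a forever: it has an omega-trace
    "R": [("c", "S")],
    "S": [],                # S is stopped: no transitions
}
X = frozenset(LTS)          # the set the rules act on; the lattice is its powerset


def rule_functional(rules):
    """Phi_R(T) = {x | (S, x) in R for some S subset of T}, for ground rules (S, x)."""
    def phi(T):
        return frozenset(x for (S, x) in rules if S <= T)
    return phi


def lfp(F):
    """Least fixed point of a monotone F on a finite powerset: iterate up from the empty set."""
    T = frozenset()
    while F(T) != T:
        T = F(T)
    return T


def gfp(F, top):
    """Greatest fixed point of a monotone F: iterate down from the top element."""
    T = frozenset(top)
    while F(T) != T:
        T = F(T)
    return T


def closed_forward(F, T):
    """T is a pre-fixed point of F: F(T) subset of T."""
    return F(T) <= T


def closed_backward(F, T):
    """T is a post-fixed point of F: T subset of F(T)."""
    return T <= F(T)


# Ground-rule translation of the finite-trace rules R_stop:
# an axiom (empty premise, P) for every stopped P, and ({P'}, P) for every P -mu-> P'.
R_STOP = {(frozenset(), P) for P in LTS if not LTS[P]} | {
    (frozenset({P2}), P) for P in LTS for (_, P2) in LTS[P]}
# Ground-rule translation of the omega-trace rules R_omega: only ({P'}, P) for P -mu-> P'.
R_OMEGA = {(frozenset({P2}), P) for P in LTS for (_, P2) in LTS[P]}

PHI_STOP = rule_functional(R_STOP)
PHI_OMEGA = rule_functional(R_OMEGA)


def finite_trace_states():
    """The set inductively defined by R_stop: states with a finite trace ending in a stopped state."""
    return lfp(PHI_STOP)


def omega_trace_states():
    """The set coinductively defined by R_omega: states from which an infinite trace starts."""
    return gfp(PHI_OMEGA, X)


if __name__ == "__main__":
    print("lfp(Phi_stop)  =", sorted(finite_trace_states()))   # ['P', 'R', 'S']
    print("gfp(Phi_omega) =", sorted(omega_trace_states()))    # ['P', 'Q']
    # every rule of R_omega has a non-empty premise, so its least fixed point is empty
    print("lfp(Phi_omega) =", sorted(lfp(PHI_OMEGA)))          # []
```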

slide-112
SLIDE 112

Finite lists (finLists)

The rule functional (from sets to sets) is:
  F(T) def= {nil} ∪ {a • ℓ | a ∈ A, ℓ ∈ T}
F is monotone, and finLists = lfp(F) (i.e., finLists is the smallest set solution to the equation L = nil + A • L). From the induction and coinduction principles, we infer:
Suppose T ⊆ finLists. If F(T) ⊆ T then finLists ⊆ T (hence T = finLists). Proving F(T) ⊆ T requires proving
– nil ∈ T;
– ℓ ∈ finLists ∩ T implies a • ℓ ∈ T, for all a ∈ A.
This is the same as the familiar induction technique for lists.

page 111

slide-113
SLIDE 113

λ-calculus

In the case of ⇓, the rules manipulate pairs of closed λ-terms, thus they act on the set Λ0 × Λ0. The rule functional for ⇓, written Φ⇓, is
  Φ⇓(T) def= {(e, e′) | e = e′ = λx. e′′, for some e′′}
             ∪ {(e, e′) | e = e1 e2 and ∃ e0 such that (e1, λx. e0) ∈ T and (e0{e2/x}, e′) ∈ T}.
In the case of ⇑, the rules are on Λ0. The rule functional for ⇑ is
  Φ⇑(T) def= {e1 e2 | e1 ∈ T} ∪ {e1 e2 | e1 ⇓ λx. e0 and e0{e2/x} ∈ T}.

page 112

slide-114
SLIDE 114

Mathematical induction

The rules (on the set {0, 1, . . .} of natural numbers or any set containing the natural numbers) are:
  ———        n
   0     ———————   (for all n ≥ 0)
          n + 1
The natural numbers: the least fixed point of a rule functional.
Principle of rule induction: if a property on the naturals holds at 0 and, whenever it holds at n, it also holds at n + 1, then the property is true for all naturals. This is the ordinary mathematical induction.

page 113

slide-115
SLIDE 115

A variant induction on the natural numbers: the inductive step assumes the property at all numbers less than or equal to n
  0, 1, . . . , n
  ———————————————   (for all n ≥ 0)
       n + 1
These are the ground-rule translation of this (open) rule, where S is a property on the natural numbers:
  i ∈ S , ∀ i < j
  ———————————————
       j ∈ S

page 114

slide-116
SLIDE 116

Well-founded induction

Given a well-founded relation R on a set X, and a property T on X, to show that X ⊆ T (the property T holds at all elements of X), it suffices to prove that, for all x ∈ X:
  if y ∈ T for all y with y R x, then also x ∈ T.
Mathematical induction and structural induction can be seen as special cases. Well-founded induction is indeed the natural generalisation of mathematical induction to sets and, as such, it is frequently found in Mathematics and Computer Science.
Example: proof of a property reasoning on the lexicographical order on pairs of natural numbers.

page 115

slide-117
SLIDE 117

We can derive well-founded induction from fixed-point theory in the same way as we did for rule induction. In fact, we can reduce well-founded induction to rule induction taking as rules, for each x ∈ X, the pair (S, x) where S is the set {y | y R x} and R the well-founded relation. Note that the set inductively defined by the rules is precisely X; that is, any set equipped with a well-founded relation is an inductive set.

page 116

slide-118
SLIDE 118

Transfinite induction

The extension of mathematical induction to ordinals. Transfinite induction says that to prove that a property T on the ordinals holds at all ordinals, it suffices to prove, for all ordinals α: if β ∈ T for all ordinals β < α then also α ∈ T.
In proofs, this is usually split into three cases:
(i) 0 ∈ T;
(ii) for each ordinal α, if α ∈ T then also α + 1 ∈ T;
(iii) for each limit ordinal β, if α ∈ T for all α < β then also β ∈ T.

page 117

slide-119
SLIDE 119

Transfinite induction acts on the ordinals, which form a proper class rather than a set. As such, we cannot derive it from the fixed-point theory presented. However, in practice, transfinite induction is used to reason on sets, in cases where mathematical induction is not sufficient because the set has ’too many’ elements. In these cases, in the transfinite induction each ordinal is associated to an element of the set. Then the < relation on the ordinals is a well-founded relation on a set, so that transfinite induction becomes a special case of well-founded induction on sets. Another possibility: lifting the theory of induction to classes.

page 118

slide-120
SLIDE 120

Other examples

– Structural induction
– Induction on derivation proofs
– Transition induction
– ...

page 119

slide-121
SLIDE 121

Back to bisimulation

– bisimilarity as a fixed point
– bisimulation outside concurrency: equality on coinductive data

page 120

slide-122
SLIDE 122

Bisimulation as a fixed-point

Definition Consider the following function F∼ : ℘(Pr × Pr) → ℘(Pr × Pr). F∼(R) is the set of all pairs (P, Q) s.t.:
1. ∀μ, P′ s.t. P −μ→ P′, then ∃Q′ such that Q −μ→ Q′ and P′ R Q′;
2. ∀μ, Q′ s.t. Q −μ→ Q′, then ∃P′ such that P −μ→ P′ and P′ R Q′.
Proposition We have:
– F∼ is monotone;
– R is a bisimulation iff R ⊆ F∼(R);
– ∼ = gfp(F∼).

page 121

slide-123
SLIDE 123

Equality on coinductive data types

On infinite lists (more generally coinductively defined sets) proving equality may be delicate (they can be “infinite objects”, hence one cannot proceed inductively, eg on their depth). We can prove equalities adapting the idea of bisimulation. The coinductive definition tells us what can be observed. We make this explicit in lists defining an LTS thus:
  a • s −a→ s
Lemma On finite-infinite lists, s = t if and only if s ∼ t.

page 122

slide-124
SLIDE 124

Of course it is not necessary to define an LTS from lists. We can directly define a kind of bisimulation on lists, as follows: A relation R on lists is a list bisimulation if whenever (s, t) ∈ R then
1. s = nil implies t = nil;
2. s = a • s′ implies there is t′ such that t = a • t′ and (s′, t′) ∈ R.
Then list bisimilarity is the union of all list bisimulations.

page 123

slide-125
SLIDE 125

To see how natural the bisimulation method on lists is, consider the following characterisation of equality between lists:
  —————————
  nil = nil

  s1 = s2    a ∈ A
  ————————————————
  a • s1 = a • s2
The inductive interpretation of the rules gives us equality on finite lists, as the least fixed point of the corresponding rule functional. The coinductive interpretation gives us equality on finite-infinite lists, and list bisimulation as associated proof technique. To see this, it suffices to note that the post-fixed points of the rule functional are precisely the list bisimulations; hence the greatest fixed point is list bisimilarity and, by the previous Lemma, it is also the equality relation.

page 124

slide-126
SLIDE 126

Example

  map f nil = nil
  map f (a • s) = f(a) • map f s
  iterate f a = a • iterate f f(a)
Thus iterate f a builds the infinite list a • f(a) • f(f(a)) • . . .
Show that, for all a ∈ A: map f (iterate f a) = iterate f f(a)

page 125

slide-127
SLIDE 127

Proof

  R def= {(map f (iterate f a), iterate f f(a)) | a ∈ A}
is a bisimulation. Let (P, Q) ∈ R, for
  P def= map f (iterate f a)
  Q def= iterate f f(a)
Applying the definitions of iterate, and of the LTS:
  Q = f(a) • iterate f f(f(a)) −f(a)→ iterate f f(f(a)) def= Q′.
Similarly,
  P = map f (a • iterate f f(a)) = f(a) • map f (iterate f f(a)) −f(a)→ map f (iterate f f(a)) def= P′.
We have P′ R Q′, as f(a) ∈ A. Done (we have shown that P and Q have a single transition, with the same label, and with derivatives in R).

page 126
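The same proof carried out mechanically, as an added example (not code from the slides): lists are kept as symbolic terms, the equations for map and iterate give each term its single transition, and the candidate R is checked by one unfolding with a free symbol a, which covers every pair of R at once. The term encoding and the names head, tail and in_R are constructed for the example.

```python
# Added example: checking that R = {(map f (iterate f a), iterate f (f a)) | a in A}
# satisfies the list-bisimulation clause by one symbolic unfolding.
# Infinite lists are terms: ("iterate", x) is iterate f x, ("map", s) is map f s,
# ("cons", h, t) is h . t, and ("f", x) is f applied to x, kept symbolic so that
# x may stand for an arbitrary element of A.


def head(s):
    """First element, from map f (a . s) = f(a) . map f s and iterate f a = a . iterate f (f a)."""
    if s[0] == "cons":
        return s[1]
    if s[0] == "iterate":
        return s[1]
    if s[0] == "map":
        return ("f", head(s[1]))
    raise ValueError(s)


def tail(s):
    """The rest of the list: s --head(s)--> tail(s) is the single LTS transition of s."""
    if s[0] == "cons":
        return s[2]
    if s[0] == "iterate":
        return ("iterate", ("f", s[1]))
    if s[0] == "map":
        return ("map", tail(s[1]))
    raise ValueError(s)


def in_R(s, t):
    """Membership in the candidate R: s = map f (iterate f x) and t = iterate f (f x), same x."""
    return (s[0] == "map" and s[1][0] == "iterate"
            and t == ("iterate", ("f", s[1][1])))


def bisimulation_step(s, t, candidate):
    """Clause 2 of list bisimulation for non-nil lists: equal heads, tails related by candidate."""
    return head(s) == head(t) and candidate(tail(s), tail(t))


def check_candidate():
    """Unfold the generic pair of R once; 'a' is a free symbol for any element of A."""
    a = "a"
    return bisimulation_step(("map", ("iterate", a)), ("iterate", ("f", a)), in_R)


def evaluate(term, f):
    """Replace the symbolic applications ("f", x) by a concrete function f."""
    if isinstance(term, tuple) and term[0] == "f":
        return f(evaluate(term[1], f))
    return term


def take(n, s, f):
    """First n elements of a symbolic list under a concrete f (illustration, not a proof)."""
    out = []
    for _ in range(n):
        out.append(evaluate(head(s), f))
        s = tail(s)
    return out
```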

slide-128
SLIDE 128

CCS: a process calculus

page 127

slide-129
SLIDE 129

Some simple process operators (from CCS)

  P ::= P1 | P2 | P1 + P2 | μ. P | (νa) P | 0 | K
where K is a constant.
Nil, written 0: a terminated process, no transitions.
Prefixing (action sequentialisation):
  ———————————— PRE
  μ. P −μ→ P

page 128

slide-130
SLIDE 130

Parallel composition

  P1 −μ→ P1′
  ————————————————————— PARL
  P1 | P2 −μ→ P1′ | P2

  P2 −μ→ P2′
  ————————————————————— PARR
  P1 | P2 −μ→ P1 | P2′

  P1 −μ→ P1′    P2 −μ̄→ P2′
  ————————————————————————— COM
  P1 | P2 −τ→ P1′ | P2′

As an example, the process P def= (a. 0 | b. 0) | ā. 0 has the transitions
  P −a→ (0 | b. 0) | ā. 0
  P −b→ (a. 0 | 0) | ā. 0
  P −τ→ (0 | b. 0) | 0
  P −ā→ (a. 0 | b. 0) | 0

page 129

slide-131
SLIDE 131

Choice

  P1 −μ→ P1′
  ———————————————————— SUML
  P1 + P2 −μ→ P1′

  P2 −μ→ P2′
  ———————————————————— SUMR
  P1 + P2 −μ→ P2′

As an example, the process P def= (a. Q1 | ā. Q2) + b. R has the transitions
  P −τ→ Q1 | Q2
  P −a→ Q1 | ā. Q2
  P −ā→ a. Q1 | Q2
  P −b→ R

Constants (Recursive process definitions)
Each constant K has a behaviour specified by a set of transitions of the form K −μ→ P.
Example: K −a→ K

page 130

slide-132
SLIDE 132

A specification and an implementation of a counter

Take constants Counter_n, for n ≥ 0, with transitions
  Counter_0 −up→ Counter_1
and, for n > 0,
  Counter_n −up→ Counter_{n+1}
  Counter_n −down→ Counter_{n−1}.
The initial state is Counter_0.
An implementation of the counter in terms of a constant C with transition
  C −up→ C | down. 0.
We want to show: Counter_0 ∼ C

page 131

slide-133
SLIDE 133

Proof
  R def= {(C | Π_1^n down. 0, Counter_n) | n ≥ 0}
is a bisimulation up-to ∼.
Take (C | Π_1^n down. 0, Counter_n) in R. Suppose C | Π_1^n down. 0 −μ→ P. By inspecting the inference rules for parallel composition: μ can only be either up or down.
μ = up. The transition from C | Π_1^n down. 0 originates from C, which performs the transition C −up→ C | down. 0, and P = C | Π_1^{n+1} down. 0. Process Counter_n can answer Counter_n −up→ Counter_{n+1}. For P′ = P and Q = Counter_{n+1}, this closes the diagram.

page 132

slide-134
SLIDE 134

The pair being inspected: (C | Π_1^n down. 0, Counter_n)
Action: C | Π_1^n down. 0 −μ→ P
μ = down. It must be n > 0. The action must originate from one of the down. 0 components of Π_1^n down. 0, which has made the transition down. 0 −down→ 0. Therefore P = C | Π_1^n P_i, where exactly one P_i is 0 and all the others are down. 0. We have:
  P ∼ C | Π_1^{n−1} down. 0.
Process Counter_n can answer with the transition Counter_n −down→ Counter_{n−1}. This closes the diagram, for P′ def= C | Π_1^{n−1} down. 0 and Q def= Counter_{n−1}, as P′ R Q.
The case when Counter_n moves first and C | Π_1^n down. 0 has to answer is similar.

page 133

slide-135
SLIDE 135

Weak bisimulation

page 134

slide-136
SLIDE 136

Consider the processes τ. a. 0 and a. 0. They are not strongly bisimilar. But we do want to regard them as behaviourally equivalent! τ-transitions represent internal activities of processes, which are not visible. (Analogy in functional languages: (λx. x)3 and 3 are semantically the same.) Internal work (τ-transitions) should be ignored in the bisimulation game.
Define:
(i) ⇒ as the reflexive and transitive closure of −τ→.
(ii) =μ⇒ as ⇒ −μ→ ⇒ (relational composition).
(iii) =μ̂⇒ is ⇒ if μ = τ; it is =μ⇒ otherwise.

page 135

slide-137
SLIDE 137

Definition A process relation R is a weak bisimulation if P R Q implies:
1. if P =μ⇒ P′, then there is Q′ s.t. Q =μ̂⇒ Q′ and P′ R Q′;
2. the converse of (1) on the actions from Q.
Definition P and Q are weakly bisimilar, written P ≈ Q, if P R Q for some weak bisimulation R.
Why did we study strong bisimulation?
– ∼ is simpler to work with, and ∼ ⊆ ≈; (cf: exp. law)
– the theory of ≈ is in many aspects similar to that of ∼;
– the differences between ∼ and ≈ correspond to subtle points in the theory of ≈.
Are the processes τ. 0 + τ. a. 0 and a. 0 weakly bisimilar?

page 136

slide-138
SLIDE 138

Examples of non-equivalence:
  a + b ≉ a + τ. b ≉ τ. a + τ. b ≉ a + b
Examples of equivalence:
  τ. a ≈ a ≈ a + τ. a
  a. (b + τ. c) ≈ a. (b + τ. c) + a. c
These are instances of useful algebraic laws, called the τ laws:
Lemma
1. P ≈ τ. P
2. τ. N + N ≈ N
3. M + α. (N + τ. P) ≈ M + α. (N + τ. P) + α. P

page 137

slide-139
SLIDE 139

In the clauses of weak bisimulation, the use of =μ⇒ on the challenger side can be heavy. For instance, take K ⊜ τ. (a | K); for all n, we have K ⇒ (a |)ⁿ | K, and all these transitions have to be taken into account in the bisimulation game. The following definition is much simpler to use:
Definition A process relation R is a weak bisimulation if P R Q implies:
1. if P −μ→ P′, then there is Q′ s.t. Q =μ̂⇒ Q′ and P′ R Q′;
2. the converse of (1) on the actions from Q.
Proposition The two definitions of weak bisimulation coincide. Proof: a useful exercise.

page 138
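An added example (not code from the slides) that implements the CCS rules PRE, SUML, SUMR, PARL, PARR and COM from the earlier slides, and computes strong bisimilarity as gfp(F∼) and weak bisimilarity with the simpler definition just given (a single −μ→ on the challenger side, =μ̂⇒ on the defender side), by iterating the functional downwards from Pr × Pr on the finite set of reachable states. The tuple encoding of terms and the convention that a′ is the co-action of a are assumptions of the example.

```python
# Added example (not code from the slides): CCS transitions and bisimilarity as
# the greatest fixed point of F_sim, computed by iterating F_sim downwards from
# Pr x Pr, where Pr is the set of states reachable from the two processes compared.
# Terms are tuples constructed here; the co-action of "a" is written "a'".
TAU = "tau"
NIL = ("nil",)

def pre(mu, p):
    return ("pre", mu, p)

def choice(p, q):
    return ("sum", p, q)

def par(p, q):
    return ("par", p, q)

def co(mu):
    """Complementary action: a <-> a'."""
    return mu[:-1] if mu.endswith("'") else mu + "'"

def step(p):
    """Immediate transitions of a term, as a set of (label, derivative)."""
    kind = p[0]
    if kind == "nil":
        return set()
    if kind == "pre":                                    # PRE
        return {(p[1], p[2])}
    if kind == "sum":                                    # SUML, SUMR
        return step(p[1]) | step(p[2])
    left, right = step(p[1]), step(p[2])
    moves = {(mu, par(l1, p[2])) for mu, l1 in left}     # PARL
    moves |= {(mu, par(p[1], r1)) for mu, r1 in right}   # PARR
    moves |= {(TAU, par(l1, r1)) for mu, l1 in left      # COM: a meets a'
              for nu, r1 in right if mu != TAU and nu == co(mu)}
    return moves

def reachable(*roots):
    """All states reachable from the given terms."""
    seen, todo = set(), list(roots)
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(q for _, q in step(p))
    return seen

def tau_closure(p):
    """All q with p ==> q: the reflexive and transitive closure of -tau->."""
    seen, todo = set(), [p]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(q for mu, q in step(r) if mu == TAU)
    return seen

def strong_answer(p, mu):
    """Derivatives of p under -mu->."""
    return {q for lab, q in step(p) if lab == mu}

def weak_answer(p, mu):
    """Derivatives of p under =mu^=>: ==> if mu is tau, ==> -mu-> ==> otherwise."""
    if mu == TAU:
        return tau_closure(p)
    out = set()
    for p1 in tau_closure(p):
        for p2 in strong_answer(p1, mu):
            out |= tau_closure(p2)
    return out

def bisimilarity(p, q, weak=False):
    """The largest (strong or weak) bisimulation on the states reachable from p and q.

    F(R) is the set of pairs (x, y) satisfying both clauses with respect to R:
    each -mu-> of x is answered by y (with -mu->, or =mu^=> if weak) into a pair
    of R, and conversely.  F is monotone, so iterating it from the top element
    Pr x Pr stabilises at gfp(F); a relation R is a bisimulation iff R <= F(R).
    """
    answer = weak_answer if weak else strong_answer
    states = reachable(p, q)

    def F(R):
        return {(x, y) for x in states for y in states
                if all(any((x1, y1) in R for y1 in answer(y, mu)) for mu, x1 in step(x))
                and all(any((x1, y1) in R for x1 in answer(x, mu)) for mu, y1 in step(y))}

    R = {(x, y) for x in states for y in states}
    while F(R) != R:
        R = F(R)
    return R

def bisimilar(p, q, weak=False):
    """p ~ q (weak=False) or p ~~ q (weak=True)."""
    return (p, q) in bisimilarity(p, q, weak)
```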

slide-140
SLIDE 140

Weak bisimulations “up-to”

Definition [weak bisimulation up-to ∼] A process relation R is a weak bisimulation up-to ∼ if P R Q implies:
1. if P −μ→ P′, then there is Q′ s.t. Q =μ̂⇒ Q′ and P′ ∼R∼ Q′;
2. the converse of (1) on the actions from Q.
Exercise If R is a weak bisimulation up-to ∼ then R ⊆ ≈.
Definition [weak bisimulation up-to ≈] A process relation R is a weak bisimulation up-to ≈ if P R Q implies:
1. if P =μ⇒ P′, then there is Q′ s.t. Q =μ̂⇒ Q′ and P′ ≈R≈ Q′;
2. the converse of (1) on the actions from Q.
Exercise If R is a weak bisimulation up-to ≈ then R ⊆ ≈.

page 139

slide-141
SLIDE 141

Enhancements of the bisimulation proof method

– The forms of “up-to” techniques we have seen are examples of enhancements of the bisimulation proof method
– Such enhancements are extremely useful
  ∗ They are essential in π-calculus-like languages, higher-order languages
– Various forms of enhancement (“up-to techniques”) exist (up-to context, up-to substitution, etc.)
– They are subtle, and not well-understood yet

page 140

slide-142
SLIDE 142

Example: up-to bisimilarity that fails

In the definition of “weak bisimulation up-to ∼” we cannot replace ∼ with ≈. Take R def= {(τ. a. 0, 0)}:

  τ. a. 0   R   0
    │τ            ║
  a. 0  ≈  τ. a. 0   R   0  ≈  0

The clauses hold (τ. a. 0 −τ→ a. 0 is answered by 0 ⇒ 0, with a. 0 ≈R≈ 0), yet τ. a. 0 ≉ 0.

page 141

slide-143
SLIDE 143

Other equivalences

page 142

slide-144
SLIDE 144

Concurrency theory: models of processes

– LTS
– Petri Nets
– Mazurkiewicz traces
– Event structures
– I/O automata

page 143

slide-145
SLIDE 145

Process calculi

– CCS [→ π-calculus → Join]
– CSP
– ACP
Additional features: real-time, probability, ...

page 144

slide-146
SLIDE 146

Behavioural equivalences (and preorders)

– traces
– bisimilarity (in various forms)
– failures and testing
– non-interleaving equivalences (in which parallelism cannot be reduced to non-determinism, cf. the expansion law) [causality, location-based]
Depending on the desired level of abstraction or on the tools available, an equivalence may be better than another. van Glabbeek, in ’93, listed more than 50 forms of behavioural equivalence; today the listing would be even longer.
Rob J. van Glabbeek: The Linear Time - Branching Time Spectrum II, LNCS 715, 1993

page 145

slide-147
SLIDE 147

Failure equivalence

In CSP equivalence, it is intended that the observations are those obtained from all possible finite experiments with the process.
A failure is a pair (μ⁺, A), where μ⁺ is a trace and A a set of actions. The failure (μ⁺, A) belongs to process P if
– P −μ⁺→ P′, for some P′
– not P′ −τ→
– not P′ −a→, for all a ∈ A
Example: P def= a. (b. c. 0 + b. d. 0) has the following failures:
– (ε, A) for all A with a ∉ A.
– (a, A) for all A with b ∉ A.
– (ab, A) for all A with c, d ∉ A.
– (abc, A) and (abd, A), for all A.
Two processes are failure-equivalent if they possess the same failures.

page 146

slide-148
SLIDE 148

Advantages of failure equivalence:
– the coarsest equivalence sensitive to deadlock
– characterisation as testing equivalence
Advantages of bisimilarity:
– the coinductive technique
– the finest reasonable behavioural equivalence for processes
– robust mathematical characterisations
Failure is not preserved, for instance, by certain forms of priority.

page 147

slide-149
SLIDE 149

These processes are failure equivalent but not bisimilar
(diagram, omitted: the synchronisation trees of a. (b. c + b. d) and a. b. c + a. b. d)
A law valid for failure but not for bisimilarity:
  a. (b. P + b. Q) = a. b. P + a. b. Q

page 148

slide-150
SLIDE 150

Ready equivalence

A similar, but slightly finer, equivalence: ready equivalence. A pair (μ⁺, A) is a ready pair of P if P −μ⁺→ P′ and A is the set of actions that P′ can immediately perform. These processes are failure, but not ready, equivalent:
  a. b + a. c
  a. b + a. c + a. (b + c)

page 149
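Failures and ready pairs computed on finite τ-free terms, as an added example (not code from the slides), checking the failure list of the earlier slide and both pairs of processes above. The tuple encoding of terms is constructed for the example; Act is taken to be the set of labels occurring in the processes compared.

```python
# Added example: failures and ready pairs of finite, tau-free process terms,
# and the failure and ready equivalences they induce.  Terms are tuples
# constructed here (nil, prefix, choice).
from itertools import combinations

TAU = "tau"
NIL = ("nil",)


def pre(mu, p):
    return ("pre", mu, p)


def choice(p, q):
    return ("sum", p, q)


def step(p):
    """Immediate transitions (PRE, SUML, SUMR) as a set of (label, derivative)."""
    if p[0] == "nil":
        return set()
    if p[0] == "pre":
        return {(p[1], p[2])}
    return step(p[1]) | step(p[2])


def initials(p):
    """Actions p can immediately perform."""
    return {mu for mu, _ in step(p)}


def labels(p):
    """All labels occurring in the (finite) behaviour of p."""
    return initials(p) | {lab for _, q in step(p) for lab in labels(q)}


def traces(p):
    """All finite traces of p (terms are finite trees, so this terminates)."""
    return {()} | {(mu,) + t for mu, q in step(p) for t in traces(q)}


def after(p, trace):
    """All P' with P -trace-> P'."""
    current = {p}
    for mu in trace:
        current = {q for r in current for lab, q in step(r) if lab == mu}
    return current


def subsets(act):
    for k in range(len(act) + 1):
        for c in combinations(sorted(act), k):
            yield frozenset(c)


def failures(p, act):
    """All (trace, A) such that some stable P' with P -trace-> P' refuses every a in A."""
    result = set()
    for t in traces(p):
        for q in after(p, t):
            if TAU in initials(q):           # an unstable derivative refuses nothing
                continue
            refused = frozenset(act) - initials(q)
            result |= {(t, A) for A in subsets(act) if A <= refused}
    return result


def ready_pairs(p):
    """All (trace, initials(P')) with P -trace-> P'."""
    return {(t, frozenset(initials(q))) for t in traces(p) for q in after(p, t)}


def failure_equivalent(p, q):
    act = labels(p) | labels(q)
    return failures(p, act) == failures(q, act)


def ready_equivalent(p, q):
    return ready_pairs(p) == ready_pairs(q)
```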

slide-151
SLIDE 151

Testing

page 150

slide-152
SLIDE 152

The testing theme

Processes should be equivalent unless there is some test that can tell them apart.
– We first show how to capture bisimilarity this way.
– Then we will notice that there are other reasonable ways of defining the language of tests, and these may lead to different semantic notions.
– In this section: processes are (image-finite) LTSs (ie, finitely-branching labelled trees), with labels from a given alphabet of actions Act.

page 151

slide-153
SLIDE 153

Bisimulation in a testing scenario

Language for testing:
  T ::= SUCC | FAIL | a. T | ā. T | T1 ∧ T2 | T1 ∨ T2 | ∀T | ∃T     (a ∈ Act)
The outcomes of an experiment, testing a process P with a test T:
  O(T, P) ⊆ {⊤, ⊥}
  ⊤ : success
  ⊥ : lack of success (failure, or success is never reached)
Notation: P ref(a) def= P cannot perform a (ie, there is no P′ s.t. P −a→ P′)

page 152

slide-154
SLIDE 154

Outcomes

  O(SUCC, P) = {⊤}
  O(FAIL, P) = {⊥}
  O(a. T, P) = {⊥} if P ref(a);  ⋃ {O(T, P′) | P −a→ P′} otherwise
  O(ā. T, P) = {⊤} if P ref(a);  ⋃ {O(T, P′) | P −a→ P′} otherwise
  O(T1 ∧ T2, P) = O(T1, P) ∧⋆ O(T2, P)
  O(T1 ∨ T2, P) = O(T1, P) ∨⋆ O(T2, P)
  O(∀T, P) = {⊤} if ⊥ ∉ O(T, P);  {⊥} otherwise
  O(∃T, P) = {⊤} if ⊤ ∈ O(T, P);  {⊥} otherwise
where ∧⋆ and ∨⋆ are the pointwise extensions of ∧ and ∨ to powersets

page 153

slide-155
SLIDE 155

Examples (a)

(diagram, omitted: P1 = a. (b + c) and P2 = a. b + a. c)
For T1 = a. (b. SUCC ∧ c. SUCC), we have O(T1, P1) = {⊤} and O(T1, P2) = {⊥}

page 154

slide-156
SLIDE 156

Examples (b)

(diagram, omitted: P3 = a + a. b and P4 = a. b)
For T3 = a. b. SUCC, we have O(T3, P3) = {⊥, ⊤} and O(T3, P4) = {⊤}
For T4 = a. b̄. FAIL, we have O(T4, P3) = {⊥, ⊤} and O(T4, P4) = {⊥}

page 155

slide-157
SLIDE 157

Examples (c)

(diagram, omitted: P5 = a. b. c + a. b. d and P6 = a. (b. c + b. d))
For T = ∃a. ∀b. c. SUCC, we have O(T, P5) = {⊤} and O(T, P6) = {⊥}
Exercise: define other tests that distinguish between P5 and P6.

page 156
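An evaluator for O(T, P), as an added example (not code from the slides), run on examples (a), (b) and (c) above; it also builds the inverse T̄ of a test, so that the relation between O(T, P) and O(T̄, P) can be checked on the same processes. Tests and processes are tuples constructed here, with ⊤ and ⊥ represented as True and False so that ∧⋆ and ∨⋆ are the pointwise boolean operators.

```python
# Added example: outcomes O(T, P) of the testing language, with tests and
# processes as tuples constructed here.  Success (top) is True, lack of
# success (bottom) is False; an outcome is a non-empty set of booleans.
TAU = "tau"
NIL = ("nil",)


def pre(mu, p):
    return ("pre", mu, p)


def choice(p, q):
    return ("sum", p, q)


def step(p):
    """Immediate transitions (PRE, SUML, SUMR) as a set of (label, derivative)."""
    if p[0] == "nil":
        return set()
    if p[0] == "pre":
        return {(p[1], p[2])}
    return step(p[1]) | step(p[2])


SUCC, FAIL = ("SUCC",), ("FAIL",)
def do(a, t): return ("do", a, t)          # a.T
def ref(a, t): return ("ref", a, t)        # a-bar.T
def both(t1, t2): return ("and", t1, t2)   # T1 and T2
def either(t1, t2): return ("or", t1, t2)  # T1 or T2
def every(t): return ("all", t)            # forall T
def some(t): return ("some", t)            # exists T


def outcomes(test, p):
    """O(T, P) following the clauses on the slides."""
    kind = test[0]
    if kind == "SUCC":
        return {True}
    if kind == "FAIL":
        return {False}
    if kind in ("do", "ref"):
        a, t = test[1], test[2]
        derivatives = [q for lab, q in step(p) if lab == a]
        if not derivatives:                          # P ref(a)
            return {kind == "ref"}                   # a.T gives {bottom}, a-bar.T gives {top}
        return set().union(*(outcomes(t, q) for q in derivatives))
    if kind == "and":                                # pointwise conjunction
        return {x and y for x in outcomes(test[1], p) for y in outcomes(test[2], p)}
    if kind == "or":                                 # pointwise disjunction
        return {x or y for x in outcomes(test[1], p) for y in outcomes(test[2], p)}
    if kind == "all":                                # {top} iff bottom is not an outcome
        return {False not in outcomes(test[1], p)}
    if kind == "some":                               # {top} iff top is an outcome
        return {True in outcomes(test[1], p)}
    raise ValueError(test)


def inverse(test):
    """The inverse test: swaps SUCC/FAIL, a./a-bar., and/or, forall/exists."""
    kind = test[0]
    if kind == "SUCC":
        return FAIL
    if kind == "FAIL":
        return SUCC
    if kind == "do":
        return ref(test[1], inverse(test[2]))
    if kind == "ref":
        return do(test[1], inverse(test[2]))
    if kind == "and":
        return either(inverse(test[1]), inverse(test[2]))
    if kind == "or":
        return both(inverse(test[1]), inverse(test[2]))
    if kind == "all":
        return some(inverse(test[1]))
    return every(inverse(test[1]))


def distinguishes(test, p, q):
    """True when the test tells p and q apart."""
    return outcomes(test, p) != outcomes(test, q)
```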

slide-158
SLIDE 158

Examples (d)

(diagram of P7 and P8, with labels a and b, omitted)
Exercise: Define tests that distinguish between P7 and P8.

page 157

slide-159
SLIDE 159

Note: Every test T has an inverse T̄:
  the inverse of SUCC is FAIL, the inverse of FAIL is SUCC
  the inverse of a. T is ā. T̄, the inverse of ā. T is a. T̄
  the inverse of T1 ∧ T2 is T̄1 ∨ T̄2, the inverse of T1 ∨ T2 is T̄1 ∧ T̄2
  the inverse of ∀T is ∃T̄, the inverse of ∃T is ∀T̄
We have:
1. ⊥ ∈ O(T, P) iff ⊤ ∈ O(T̄, P)
2. ⊤ ∈ O(T, P) iff ⊥ ∈ O(T̄, P)

page 158

slide-160
SLIDE 160

The equivalence induced by these tests:
  P ∼T Q def= for all T, O(T, P) = O(T, Q).
Theorem ∼ = ∼T
– The proof is along the lines of the proof of the characterisation of bisimulation in terms of modal logics (Hennessy-Milner logic and theorem)
– A similar theorem holds for weak bisimilarity (with internal actions, the definition of the tests may need to be refined)

page 159

slide-161
SLIDE 161

Testing equivalence

– The previous testing scenario requires considerable control over the processes (eg: the ability to copy their state at any moment). One may argue that this is too strong.
– An alternative: the tester is a process of the same language as the tested process (in our case: an LTS).
– Performing a test: the two processes attempt to communicate with each other.
– Thus most of the constructs in the previous testing language are no longer appropriate (for instance, because they imply the ability of copying a process).
– To signal success, the tester process uses a special action w ∉ Act.

page 160

slide-162
SLIDE 162

Outcomes of running a test

Experiments: E ::= T, P | ⊤
A run for a pair T, P: a (finite or infinite) sequence of experiments E_i such that
1. E_0 = T, P
2. a transition E_i −→ E_{i+1} is defined by the following rules:
     T −a→ T′    P −a→ P′
     ————————————————————
       T, P −→ T′, P′

     T −w→ T′
     ——————————
     T, P −→ ⊤
3. the last element of the sequence, say E_k, is such that there is no E′ such that E_k −→ E′.

page 161

slide-163
SLIDE 163

We now set:
  ⊤ ∈ O(T, P) if T, P has a run in which ⊤ appears (ie, T, P ⇒ ⊤)
  ⊥ ∈ O(T, P) if there is a run for T, P in which ⊤ never appears
Testing equivalence (≃): the equivalence on processes so obtained.
Note: If processes could perform internal actions, then other rules would be needed:
     T −τ→ T′                P −τ→ P′
     ————————————————        ————————————————
     T, P −→ T′, P           T, P −→ T, P′

page 162

slide-164
SLIDE 164

O(T, P) is a non-empty subset of the 2-point lattice ⊥ < ⊤. However, there are 3 ways of lifting this lattice to its non-empty subsets:
  ℘May:      {⊥}  <  {⊤} = {⊤, ⊥}
  ℘Must:     {⊥} = {⊤, ⊥}  <  {⊤}
  ℘Testing:  {⊥}  <  {⊤, ⊥}  <  {⊤}
℘May: the possibility of success is essential. ℘Must: failure is disastrous.
The resulting equivalences are ≃May (may testing) and ≃Must (must testing). Note: ≃Testing is ≃.

page 163

slide-165
SLIDE 165

Results for the test-based relations

Theorem

  • 1. ≃= (≃May ∩ ≃Must)
  • 2. ≃May coincides with trace equivalence
  • 3. ≃ coincides with failure equivalence

page 164

slide-166
SLIDE 166

Example

(diagram, omitted: P9 = a. b. (c + d), P6 = a. (b. c + b. d), P5 = a. b. c + a. b. d)
  P9 ≃May P5 ≃May P6
  P9 ≃Must P5 ≃Must P6
  P9 ≃ P5 ≃ P6
  P9 ∼ P5 ∼ P6

page 165

slide-167
SLIDE 167
(diagram, omitted: Q1 with an a-transition and a τ-loop; Q2 with a single a-transition)
In CCS: Q1 = τ^ω | a, and Q2 = a. 0. Q1 and Q2 are weakly bisimilar, but not testing equivalent.
Justification for testing: bisimulation is insensitive to divergence.
Justification for bisimulation: testing is not “fair” (notions of fair testing have been proposed, and then bisimulation is indeed strictly included in testing).

page 166

slide-168
SLIDE 168

All equivalences discussed in these lectures reduce parallelism to interleaving, in that
  a. 0 | b. 0 is the same as a. b. 0 + b. a. 0
Not discussed in these lectures: equivalences that refuse the above equality (called true-concurrency, or non-interleaving).

page 167

slide-169
SLIDE 169

Bisimulation and Coinduction: examples of research problems

page 168

slide-170
SLIDE 170

– Bisimulation in higher-order languages
– Enhancements of the bisimulation proof method
– Combination of inductive and coinductive proofs (eg, proof that bisimilarity is a congruence)
– Languages with probabilistic constructs
– Unifying notions

page 169